SEARCH ALPHABETICALLY

FILTER BY

Featured Industries

Fresh water is becoming a scarce resource in the United States and across the globe as demand continues to rise due to population and business growth. This emergent scarcity means businesses will face more consequences of the complex regulatory and legal frameworks governing water use and water quality.

Michael Best’s Water team understands those issues. We guide clients through the heavily regulated, politically sensitive environment surrounding the management of, investment in, and development of water resources.

Featured Industries

From artificial intelligence (AI) and machine learning to autonomous vehicles, virtual reality, and cryptocurrency, the rapid evolution of technology shows no sign of slowing down. Companies in the digital technology sector are among the world’s most highly valued companies, with good reason. And businesses in every sector now use digital technology in all kinds of ways, from basic email to sophisticated data analytics.

Featured Practice

To prevail in litigation, clients need exceptional representation both inside and outside the courtroom. With more than 40 lawyers and other professionals, our seasoned Litigation practice group provides battle-tested service and representation for nearly any type of dispute.

Blogs

Publication

October 31, 2017Client Alert

Biometric Privacy Act Spawns Litigation

In the good old days, biometric security was the stuff of movie fantasy. Sean Connery used a fake fingerprint to foil a scanner in Diamonds Are Forever. Tom Cruise got an eye transplant and gruesomely carried his old eyeballs in a plastic bag to trick a retinal scanner in Minority Report. Ewan McGregor is a clone who uses facial recognition to pass for the person he doubles in The Island.

But today, biometric security is not so fantastic. In fact, it has made its way into the workplace in fairly ordinary applications. More employers are using biometric technology to clock workers in and out and improve payroll accuracy, or restrict access to sensitive work spaces. Biometrics aren’t just for Hollywood any more.

The Illinois Biometric Information Privacy Act

With the increased use of biometric security comes increased privacy concerns, and increased state regulation. Many states have adopted laws requiring notification when personal identifying information, defined to include biometric data, is disclosed to third parties. Illinois has gone a step further with the Biometric Information Privacy Act (“BIPA”).

Passed in 2008, BIPA has been described as the most stringent regulation of the collection, use and storage of biometric identifiers and information. Prompted by the increased use of biometrics in financial and retail transactions, the Illinois legislature expressed concern regarding potential permanency when biometric data is breached. “Social security numbers, when compromised, can be changed. Biometrics, however are... unique to the individual; therefore once compromised, the individual has no recourse, is at increased risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” 740 ILCS 14/5 (c). Although prompted by concerns over market transactions using this data, BIPA’s reach has extended into the labor market as more employers use this technology in their daily business.

The Act governs the “collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.” 740 ILCS 14/5(g). “Biometric identifiers” are defined to include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” but exclude “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions.” 740 ILCS 14/10. “Biometric information” includes “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.” Id.

BIPA requires any private party that collects or obtains biometric identifiers or information to:

inform the subject in writing that the identifier or information is being collected or stored,

inform the subject in writing specifically why and for how long it is being collected, stored or used, and

obtain the subject’s written consent.

740 ILCS 14/15(b).

The Act also prohibits any private entity from:

(1) selling, leasing, trading “or otherwise profit[ing] from a person’s or a customer’s[1] biometric identifiers or information,” or

(2) disclosing or disseminating biometrics without the subject’s consent, unless required by law or pursuant to a valid warrant or subpoena.

740 ILCS 14/15(c)-(d).

BIPA sets a standard for the handling of biometric identifiers or information. It requires any private entity in possession of biometric identifiers or information to use reasonable care to “store, transmit and protect [them] from disclosure.” The standard for safeguarding this data is that used “within the private entity’s industry” and the security methods must be “the same or more protective than the manner in which the private entity stores, transmits and protects other confidential and sensitive information.[2]” 740 ILCS 14/15(e). Private entities that possess biometric identifiers or information must adopt a written policy that creates a retention schedule and guidelines for permanently destroying the data once the original purpose for collecting them has been satisfied or within three years of the subject’s last interaction with the entity, whichever comes first. 740 ILCS 14/15(a). The entity must comply with this retention schedule unless a valid subpoena or warrant requires the data’s preservation. Id.

BIPA’s Private Action

Of particular significance to financial institutions, retail merchants, employers and others who use biometric information, BIPA provides for a private right of action that allows “any person aggrieved by a violation of this Act” to recover $1,000 for each negligent violation and $5,000 for each reckless violation, or their actual damages, whichever is greater. 740 ILCS 14/20. The Act also allows the prevailing party to recover attorney’s fees and costs, including expert fees and other litigation expenses. Id.

This provision has accounted for a recent uptick in litigation as plaintiff’s counsel have filed class actions against various tech companies and employers. Recent defendants have included Google, L.A. Tan, Shutterfly, Facebook and others. In the third quarter of 2017 alone employers Speedway LLC, Superior Air-Ground Ambulance Service, ABRA Auto Body & Glass and over twenty others have been sued in class actions filed in Illinois state courts for BIPA violations.

While these class actions are a relatively new phenomenon and it is difficult to predict how the law will develop, BIPA’s liquidated damages provisions apply per violation, and therefore can quickly aggregate into significant liabilities when multiplied across an employer’s workforce or company's customer base. As a result, both employers and market participants who employ this technology in their businesses have every incentive to ensure compliance with BIPA’s directives. That compliance should start with adoption of an adequate and written data retention policy. Employers should develop human resources forms and procedures that ensure they are providing the required written notifications before or at the time the biometric information is collected or used. They also must take steps to ensure that they are, at a minimum, using the technology and procedures others in their market employ to protect the confidentiality of this data. Indeed, employers would be well served by attempting to be a market leader in this area. If the technology is worth using in your business, it is worth the extra time to ensure it is being employed safely and in compliance with the law. With a bit of planning, companies using biometric technology in Illinois can look to the silver screen for their suspense and intrigue, and not the court system.

[1] The author is unsure how a customer with biometric identifiers or information would be anything other than a person, so perhaps this qualifier was unnecessary.

[2] "’Confidential and sensitive information’ means personal information that can be used to uniquely identify an individual or an individual's account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver’s license number or a social security number.” 740 ILCS 14/10.

Related People

Jim’s broad litigation experience spans commercial litigation, professional and product liability defense, as well as representing individuals and corporations in state and federal investigations. He brings a unique skillset in criminal matters to his practice, having served as an Assistant U.S. Attorney in the Northern District of Illinois, and with an extensive background in federal criminal matters. His clientele spans retail banks, nursing homes and other healthcare providers, and manufacturers of medical and industrial products.

Related Practices

Any information you convey to Michael Best & Friedrich LLP via the internet may not be secure, and any information conveyed prior to establishing an attorney-client relationship may not be privileged or confidential. The establishment of an attorney-client relationship requires prior satisfaction of multiple factors, including resolution of conflicts and mutual agreement on the terms of the engagement. Before speaking with a Michael Best attorney, please do not convey any more information than is reasonably necessary to describe generally the matter, and to identify the adverse parties. Please do not convey any information you deem as confidential. Please click the “Accept” button below to confirm that you understand and accept the foregoing statement and wish to proceed in sending a message.